BSidesSF Preview: My Email was Indexed by Google

The Security BSides San Francisco event is fast approaching, and Tripwire is excited that we have two of our brightest subject matter experts scheduled to hold sessions, both of which will be on Sunday, February 23, at the DNA Lounge.

Westin’s research and technology exploits have been featured in Forbes, on Good Morning America, Dateline, in The New York Times, The Economist and many other media outlets.

Westin has also won awards from MIT, CTIA, Oregon Technology Awards, SXSW, and Entrepreneur Magazine, and was recently named as one of Portland Business Journal’s prestigious “40 Under 40” professionals.

Westin has trained law enforcement and assisted in investigations using technology to recover stolen property, undermine organized crime rings, and more.

Last year Westin worked with a journalist from Mexico on the disclosure of a massive security vulnerability in Telmex’s subsidiary Prodigy email systems, which accounts for more than 90% of the market share for internet access across Mexico.

Westin found that he could access the email account of anyone who had used the mobile or web email portal. To make matters worse, he discovered that many of the accounts and emails were being indexed by Google, and he found a number of other security issues with Prodigy’s email systems.

He promptly notified Google and Telmex of the issues, and then worked with El Economista, a popular business and economic newspaper in Mexico, on a story that was to be published online and in print. While the story was released on the publication’s website, the print edition was subsequently blocked. Google removed all of the exposed email account pages and email messages from their search results and cache within 48 hours.

At BSidesSF, Westin will be discussing the vulnerability in detail, how it was discovered, how it could have been exploited by bad actors, and how the story was ultimately blocked by Telmex from wider distribution through El Economista.

In 1996 Prodigy Mexico was acquired by Telmex, and until 2010 the default email for Prodigy users was through prodigy.net.mx, with the web and mobile-based portals both going through the same domain.

“The application that runs the email systems had a number of security vulnerabilities, some due to configuration changes, unpatched systems, and a generally insecure architecture,” Westin said.

The entire email system as a whole was open to the world if you had the right URL – and to make matters worse, Google began indexing emails that were appearing in search results.

“If any user has logged into the webmail or wapmail application, it is safe to assume that that email account has been compromised,” Westin said. “The application in question did not have proper authentication in place, so once a customer logged into their email account, all that was needed by anybody to access it was the URL with the customer ID parameter, and no additional authentication was required by a user on that system or on any system. There was no session timeout.”

This was a security flub of immense proportions, and the issue highlights how a simple configuration change made by a development team can have huge implications for customers.
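The failure Westin describes above is a missing authorization check: the customer ID in the URL stood in for authentication, and nothing ever expired. The following added example (not Prodigy's code; the mailbox data and the 15-minute idle timeout are constructed) models that handler beside a hardened version that takes identity from a server-side session, checks that the session's owner matches the requested customer, expires idle sessions, and tells crawlers and caches to keep away from mail content.

```python
import secrets
import time

# Constructed sample mailboxes keyed by customer ID (placeholder data).
MAILBOXES = {"1001": ["Invoice from ACME"], "1002": ["Password reset link"]}
SESSION_TTL = 900  # idle timeout in seconds (assumed); the portal described had none


def vulnerable_inbox(params):
    """Vulnerable pattern: the customer_id query parameter is the only 'credential'.
    Anyone who knows or guesses the URL gets the mailbox, logged in or not."""
    return MAILBOXES.get(params.get("customer_id"))


class SessionStore:
    """Server-side sessions: random token -> (customer_id, last_seen)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so the timeout can be exercised
        self._sessions = {}

    def login(self, customer_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (customer_id, self._clock())
        return token

    def owner(self, token):
        """Return the customer owning a live session, or None if absent or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        customer_id, last_seen = record
        if self._clock() - last_seen > SESSION_TTL:
            del self._sessions[token]  # idle too long: the session is gone
            return None
        self._sessions[token] = (customer_id, self._clock())  # refresh on use
        return customer_id


def hardened_inbox(params, cookies, store):
    """Identity comes from the session cookie, never from the URL.
    Returns (status, mailbox, response headers)."""
    owner = store.owner(cookies.get("session", ""))
    if owner is None:
        return 401, None, {}
    if params.get("customer_id") != owner:
        return 403, None, {}  # logged in, but asking for someone else's mailbox
    # Keep search engines and shared caches away from mail content.
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store, private"}
    return 200, MAILBOXES[owner], headers
```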

“Particularly when a large company is acquired, many systems can become forgotten in the mix,” Westin noted. “With improper asset management and discovery processes, and as legacy systems in particular age, they increase the risk of a major compromise.”

Telmex appears to have fixed the immediate problems and is continuing an “audit of their security protocols.” However, when Westin evaluated the application in question, he found other issues with the webmail and mobile email portal, specifically that all logins were done over a non-SSL connection.

“In a nutshell, a major email system used by 90% of internet users in Mexico went completely unpatched for four years with 78 patchable vulnerabilities on servers which were running old versions of Apache and PHP, they lacked any semblance of security due to a configuration change, they didn’t provide SSL for web or mobile email users, and there were emails getting indexed by Google,” Westin said.

That meant anyone logging into these email accounts from a public Wi-Fi hot spot could easily have had their credentials intercepted. For customers still using these email accounts, Westin recommends they stop altogether, as the accounts are not secure.

“At the very least, these users should change their passwords and not access email at all on mobile devices or webmail through any open or unsecured Wi-Fi,” Westin said. “I should note that SSL is not even an option for logging into the portal, as all SSL ports are disabled, so there is no way for users to secure their authentication even if they wanted to.”